From owner-freebsd-net Mon May 29 14:32:45 2000
Delivered-To: freebsd-net@freebsd.org
Received: from campbell.cwx.net (Campbell.cwx.net [216.17.176.12]) by hub.freebsd.org (Postfix) with ESMTP id 1BD9C37B603 for ; Mon, 29 May 2000 14:32:40 -0700 (PDT) (envelope-from allenc@campbell.cwx.net)
Received: (from allenc@localhost) by campbell.cwx.net (8.9.3/8.9.3) id PAA22232 for freebsd-net@freebsd.org; Mon, 29 May 2000 15:32:38 -0600 (MDT) (envelope-from allenc)
Date: Mon, 29 May 2000 15:32:38 -0600 (MDT)
From: Allen Campbell
Message-Id: <200005292132.PAA22232@campbell.cwx.net>
To: freebsd-net@freebsd.org
Subject: natd: failed to write packet back: Permission denied
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Natd is reporting:

    natd: failed to write packet back: Permission denied

I have traced this to an interaction between Samba and natd. Samba appears to be broadcasting to the lo0 interface. I have configured smb.conf with `bind interfaces only = true' to the internal Ethernet interface and the loopback interface to prevent broadcasts to the ISP subnet. It doesn't surprise me to see Samba performing broadcasts on the configured interfaces. I want Samba on lo0 for the password change facility.

I have found that natd is translating Samba broadcasts to the loopback interface into packets with the source address of the divert socket interface. Output from natd -v is shown here (216.17.176.12 is the external interface IP address):

    Out [UDP] [UDP] 127.0.0.1:137 -> 127.255.255.255:137 aliased to
        [UDP] 216.17.176.12:137 -> 127.255.255.255:137
    natd: failed to write packet back: Permission denied

My ipfw setup, based largely on /etc/rc.firewall, stops such packets. The relevant parts of the ipfw configuration are shown here (dc0 = external interface):

    00100 divert 8668 ip from any to any via dc0
    00200 allow ip from any to any via lo0
    00300 deny ip from any to 127.0.0.0/8
    [ ... ]

My question is: why is natd interfering with the lo0 broadcast packets? The divert socket is specific to the external interface (dc0) and the lo0 broadcast packets are clearly from and to the loopback interface. I'm not an IP guru so I don't fully understand the implications of broadcasting to the loopback interface. Perhaps this is normal behavior for natd. What approach should I take?
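The following is an added illustration, not part of the original post and not FreeBSD or natd code. It models the three ipfw rules quoted in the message as a first-match rule list and replays the exchange the natd -v output shows: the outbound packet hits the divert rule, natd rewrites the source address to the external interface address, and ipfw resumes processing at the rule after the divert rule when the packet is written back. Because the rewritten packet is still destined for 127.0.0.0/8, rule 00300 denies it; a write on a divert socket that ipfw rejects fails with EACCES, which is the "Permission denied" natd reports. The interface on which the kernel actually evaluates the original 127.0.0.1 -> 127.255.255.255 packet is exactly the open question in the post; the model assumes dc0 only because natd evidently saw the packet. The Rule/Packet classes and the `evaluate`/`trace_natd_writeback` functions are constructed for this example, and the rule set is truncated where the message elides it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    """One ipfw rule: first match wins; 'via' restricts to an interface, None means any."""
    number: int
    action: str                      # "divert", "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str] = None


@dataclass
class Packet:
    """Constructed packet: source, destination and the interface ipfw sees it 'via'."""
    src: str
    dst: str
    iface: str


# The three rules quoted in the post (the real rule set continues past 00300; elided here too).
RULES = [
    Rule(100, "divert", ANY, ANY, via="dc0"),
    Rule(200, "allow", ANY, ANY, via="lo0"),
    Rule(300, "deny", ANY, ipaddress.ip_network("127.0.0.0/8")),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def evaluate(rules, pkt: Packet, start_after: int = 0) -> Tuple[Optional[int], str]:
    """First-match evaluation. A packet written back by natd re-enters the
    list at the rule following the divert rule, so 'start_after' skips up
    to and including that rule number. With the truncated rule set, a packet
    that matches nothing is reported as unmatched rather than as the real
    default rule."""
    for rule in rules:
        if rule.number <= start_after:
            continue
        if matches(rule, pkt):
            return rule.number, rule.action
    return None, "unmatched"


def trace_natd_writeback(rules, original: Packet, aliased: Packet) -> dict:
    """Replay the divert -> alias -> write-back sequence from the natd -v output."""
    num, action = evaluate(rules, original)
    if action != "divert":
        return {"diverted": False, "final": (num, action)}
    # natd has rewritten the source; ipfw resumes after the divert rule.
    final = evaluate(rules, aliased, start_after=num)
    return {"diverted": True, "divert_rule": num, "final": final}


if __name__ == "__main__":
    # The packet exactly as natd printed it (assumed to be seen via dc0).
    samba_bcast = Packet("127.0.0.1", "127.255.255.255", "dc0")
    aliased = Packet("216.17.176.12", "127.255.255.255", "dc0")
    print(trace_natd_writeback(RULES, samba_bcast, aliased))
    # The same broadcast evaluated via lo0 never reaches the divert rule.
    print(evaluate(RULES, Packet("127.0.0.1", "127.255.255.255", "lo0")))
```

Running it shows the rewritten packet ending at rule 300 with "deny", while the same broadcast evaluated via lo0 is accepted by rule 200 without ever being diverted, which is the contrast the post is asking about.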